16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66

General

Target

16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe
Size

208KB
MD5

2f96da10b94557294629c6eb6ef81a70
SHA1

cc1f2b8bcb3b16de77411de31fbf485d3eb4e407
SHA256

16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66
SHA512

7f750034ed0c88ae4e4583b5493cee4d770b5df5a2b0f8b7ff945deff6032bed98026fc6eb3fda2071cdc0f92e0b3562af1942eabe0f939f8c7d42ef9bbdd2db
SSDEEP

6144:r4MvOhI6mea/z/n5HQjzcbB3SEMQhOOQEjE:UFOv/z/NYEVhOOQn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	IVWPWRC.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	cmd.exe
2896	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\IVWPWRC.exe	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe
File opened for modification	C:\windows\SysWOW64\IVWPWRC.exe	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe
File created	C:\windows\SysWOW64\IVWPWRC.exe.bat	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IVWPWRC.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2560	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe
2200	IVWPWRC.exe
2200	IVWPWRC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2560	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe
2560	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe
2200	IVWPWRC.exe
2200	IVWPWRC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2896	2560	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe	30
PID 2560 wrote to memory of 2896	2560	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe	30
PID 2560 wrote to memory of 2896	2560	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe	30
PID 2560 wrote to memory of 2896	2560	16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe	30
PID 2896 wrote to memory of 2200	2896	cmd.exe	32
PID 2896 wrote to memory of 2200	2896	cmd.exe	32
PID 2896 wrote to memory of 2200	2896	cmd.exe	32
PID 2896 wrote to memory of 2200	2896	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe
"C:\Users\Admin\AppData\Local\Temp\16e6f1b7abf64080eca87dbd6fd329cbbaa27e544127b675065acf7495681f66N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\system32\IVWPWRC.exe.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\windows\SysWOW64\IVWPWRC.exe
    C:\windows\system32\IVWPWRC.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\IVWPWRC.exe.bat

Filesize
78B

MD5
cec59eace3dcf112306b7ee18fb05d90

SHA1
ea9b92bb118c204beb8da2792723ecb766be4e3d

SHA256
0a1378ab649333f0334e1fc72a2d33a481f5be0407add936d82bec50d35b83ac

SHA512
736a82a46bab87fb75b7ca8e4cfaf5911980772f88ab8811564c4604f23bf90b1cb436f234d48f32f4d49f54e344c642e4cf68189b5b4f96b328a6d59bc098ea

Download Submit
\Windows\SysWOW64\IVWPWRC.exe

Filesize
208KB

MD5
51b1c703d556e6d9c8f7d24d453f215a

SHA1
1a5ceb01af2075057619c66bcd54a333e0ee471e

SHA256
dda0a4bfe62ba4085b00745c0dba08d475d775c50b34fe62bcb7255ef1859799

SHA512
195e3481689687b96513d932dc965f6ceb104f8c8cf41c17e16104bda92241926d609da9e32dd535517e2ce80919dddef8fd3bcfa6ce0353dbf508b7957387d6

Download Submit
memory/2200-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2560-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2560-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2896-18-0x0000000000100000-0x0000000000138000-memory.dmp

Filesize
224KB

Download
memory/2896-17-0x0000000000100000-0x0000000000138000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing